Recently, hundreds of intimate and revealing photos of female celebrities, including Oscar-winner Jennifer Lawrence, were posted online, apparently after being stolen from their iCloud accounts.
Some of those images, many of which were presumably taken with iPhones and other Apple devices, had reportedly been deleted from iCloud years earlier.
Apple denied that there had been a breach in its own security:
“We have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.”
It’s been suggested that hackers might have gained access to the photos by guessing passwords or answering so-called “security” questions. Code allowing hackers to make multiple guesses without being blocked on Apple’s “Find My iPhone” service was posted online.
Gaining access to “Find My iPhone” also let hackers into iCloud. Apple says it has since changed this.
Newsweek reported that in 2011 a Florida hacker logged into the accounts of Scarlett Johansson, Mila Kunis, and others by guessing their email addresses and answering their security questions based on well-known information about the stars. He eavesdropped on their email conversations for over a year before he was caught.
Regarding the recently leaked photos, according to Apple, “None of the cases we have investigated has resulted from any breach in any of Apple’s systems.”
The problem, of course, is that static-password-based “security” is so weak you don’t need a “breach” in order to get past it.
In the celebrity photo scandal, hackers apparently got access to iPhone pictures via the cloud. However, phones and other mobile devices are becoming increasingly vulnerable as well.
Security company McAfee reports that 3.73 million pieces of mobile malware were circulating in 2013 – an increase of 173% over the previous year.
Malware can get into phones via various methods, including ads. According to McAfee, these ads may be delivered via legitimate ad networks, may not be obvious spam, and may contain Trojan viruses or lead to malicious websites when clicked.
Another risk comes from “keylogger” flaws that allow hackers to see everything a user does on a phone – including entering passwords for financial accounts and other sites.
Two-factor authentication is becoming an increasingly common way to enhance security, and it’s sensible for everyone to use it when available.
However, even two-factor authentication isn’t good enough to stop a determined hacker.
What we need is PACid’s Bolt-on Strong Security (BoSS), deployed industry-wide as an industry standard for data protection.